Wi-Fi: Essential Checklist

On Fri, 28 Nov 2008 18:02:52 -0500, Warren Oates wrote in :

Simple but dangerous. Once the PSK (pre-shared key) is shared, it's compromised -- you have no control over what those people will do with it.

Worse, wireless sessions with PSK are *not* protected from each other, so wireless traffic can be snooped by anyone with the PSK, intentionally or otherwise (think infected computer).

Better to run WPA Enterprise, which allows you to hand out unique credentials to anyone. Authentication options include ZyXEL G-2000 Plus (wireless router with built-in PEAP server)

John Navas

On Sat, 29 Nov 2008 10:33:57 -0800, Jeff Liebermann wrote in :

That's why I'm a big fan of hard disk passwords, and even better encrypting hard disks. You could steal my laptop, but you'd not be able to access any of the data on the hard disk (short of major forensic cracking at least).

Agreed.

Likewise.

It's a bit like saying, condoms sometimes fail, so don't bother to use them. Really, really stupid. I'm sure he knows better.

Nope. Once the computer is running the drive is unlocked.

WPA does protect your computer from attack over the wireless network.

John Navas

In my experience, I find it far better to leave the car's doors unlocked (especially when it is likely to experience a break-in) than have to endure the damage caused by forced entry and subsequent costs of repair. Just make sure not to leave valuables in the car. Likewise with an open access point - provide nothing of value to the intruder and provide advertisement about your network, website, etc. in the event of a visitor.

I have not read the article but I tend to agree that association and joining of a wireless network in a residential or public space is best done wide open, with the security at other layers, rather than at the access point. In a mission-critical wireless network however, good security for joining the network may be needed if even just for bandwidth management.

Michael

msg

I'm lazy. I just keep my major files and apps on a USB drive:

The important files are individually encrypted. I tried using the encryption utilities that came with the drive, but had problems. The big problem is that the USB flash drive is much slower than a hard disk. That's a problem when Firefox has to load and index a zillion email messages.

I dunno. I looked carefully at his writing style. Besides the previously mentioned revealing slip (double negative), I see at least 3 different sentence styles and 4 different paragraph structures. It kinda looks like this is a conglomeration of several articles, with heavy editing by the Wired Magazine editors. It might even be possible that someone else added that paragraph. Dunno, but sad.

I use the router's "AP isolation" feature (which is actually client isolation) to keep the connected client laptops from both seeing and attacking each other. You could be running a totally insecure laptop, with wide open shares, and still be safe from wireless attack in a coffee shop. However, that does nothing to prevent wireless sniffing.

Jeff Liebermann

But IMHO a preferred solution for all types of networks susceptible to snooping. I prefer an open WAP with all private traffic over encrypted tunnels and public access for strangers with various advisories available in html, ftp, etc. advising terms of use.

Bandwidth controls may need to be implemented separately to handle DoS attacks.

Michael

msg

If you did that in a car-park in the UK, you'd almost certainly return to an empty space and your car would be on its way to Nigeria.

A mate of mine did that - he had a soft-top TVR and it was very costly to fix the hood. Car never got nicked because it was LHD and a pig to drive.

Mark McIntyre

On Sat, 29 Nov 2008 13:56:51 -0800, Jeff Liebermann wrote in :

I'm lazy too. My primary fast hard disk is unlocked by the same password that unlocks my computer. Couldn't be easier or faster.

Fair enough, but WPA does nonetheless protect your computer against wireless attack, with the caveat that you're not protected from wireless clients using the same PSK.

John Navas

On Sat, 29 Nov 2008 15:53:00 -0600, msg wrote in :

Simply running a wireless network is an advertisement, and even with encrypted tunnels your computers are still open to attack unless you also have wireless to wireless isolation (along with wireless to wired isolation if you have wired computers as well). You otherwise increase your vulnerability substantially.

Then with all due respect you really shouldn't be commenting.

John Navas

Please elaborate what forms of attack you consider likely here and why segment isolation is indicated? When the only routes available to the stranger wireless client are directed to an isolated honeypot that serves as an advertisement vehicle (not SSID adverts, but real html, text, etc. adverts and terms of use statements), and useful routes are only accessible through the tunnels (IPsec), what attack do you anticipate? As for 'internal' security (on the VPN, VLANs, etc.), that is a matter for policy decisions on the internal network and not in the domain of wireless security.

Huh? If you quoted my full statement in context you would see that I am agreeing with a proposition of the quoted poster, not something from the 'unread' article.

Michael

msg

Quite!

I've read it and the final para does actually say "In my opinion, securing my wireless network isn't worth it." which has an obvious unspoken continuation. "I don't bother to secure my network, and I'm a security /expert/ so...."

Mark McIntyre

On Sat, 29 Nov 2008 17:11:09 -0600, msg wrote in :

I saw nothing about this in your earlier post. Are you scrambling? ;) Regardless, how exactly is this set up?

Any of the myriad of possible attacks.

I disagree -- it's all one network.

John Navas

That's Maginot Line thinking.

"Those who cannot remember the past are condemned to repeat it."

-George Santayana

On Fri, 28 Nov 2008 14:27:06 -0500, John Mason Jr wrote in :

John Navas

Euh, that's the kind of approach that leads to costly customer data loss. Security policy shouldn't be divided up into little empires.

Mark McIntyre

I configure my external wireless networks as I would any wired network, anticipating, and even expecting and possibly suggesting that strangers 'plug in' to it (wired or wireless -- it shouldn't matter). Should I design some ethernet scrambling technology too (at the physical layer) ?

The external wireless access points are on an IP subnet routed by an OpenBSD border router which also is the head end for IPsec and IKE from external wireless; nothing else is on that subnet. Stranger clients get access to a limited set of resources (for advertising purposes) such as http to an internal server, DNS, DHCP, and IKE and VPN negotiation services; all services are handled by port forwarding and in some cases internal NATing. The address pool presented to the external client is RFC 1918; stranger clients are welcome to browse the presented web pages, use the bulletin board, or do other things as I see fit; the only security issues for me here are at the service endpoints -- the user can sniff all he wants and will only see this traffic or encrypted payloads from VPN users.

I cannot imagine (in an unclassified network) imposing draconian network level security on internal users; applications, database encryption, access control etc. seems to me to be more appropriate at this level.

Michael

msg

On Sat, 29 Nov 2008 15:22:58 -0800, John Navas wrote in :

That's not the relevant question in any event. The relevant question is: What attacks have you not anticipated? The answer to that question is, of course, unknowable, which is part of why it makes no sense to forgo the easy and substantial protection afforded by securing the wireless network.

John Navas

I should point out that my open access networks are by choice and design to encourage stranger connections; public access is part of the mission.

Michael

msg

On Sat, 29 Nov 2008 17:56:51 -0600, msg wrote in :

Other security issues for you include mistakes you may have made, holes you may have missed, and exploits in your equipment you may not know about. There is no such thing as a secure network.

WPA is anything but draconian.

John Navas

Again, I wasn't responding to the article. I was responding to you.

Char Jackson

On Sat, 29 Nov 2008 22:03:50 -0600, Char Jackson wrote in :

Without having read the article you know nothing about the context of what he wrote.

John Navas

Three problems:

  1. I hate one-line unsubstantiated comments (like this one).
  2. How can you provide an informed opinion on my comments about something you haven't read? You might comment on my style and logic, but few readers care much about those. It's the validity of the sage advice on wireless encryption, offered by a security expert, in a widely distributed Wired Magazine article, that is important. If you haven't read the article, I don't see how you can have an opinion about the article's advice.
  3. I suggest that you try really hard not to attack the person making the comments and concentrate on the content. I kinda blew it with my initial rant, for which I promised to resist the temptation to repeat the mistake. If you haven't read the article, you know nothing of the content.

I also avoided responding to your previous posting, which offered no substantiation for any of your opinions, and only questioned my logic and interpretations. With all due respect, I really don't care about anyone's opinions. It's the logic and facts that they offer to substantiate those opinions that I find interesting and useful.

For example, you asked:

Instead of commenting on the validity of my interpretation, you decided that it would be more fun to attack my logic. Do you really need an answer as to how I derived my conclusion? How will that be useful to anyone reading it? If my logic were defective, you couldn't offer an alternative, surely without actually reading the article.

Like I said.... I hate security discussions.

Jeff Liebermann

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.